Add metadata to our publish task for Tekton Chains to observe & sign
This commit adds an annotation to indicate that build provenance should be
generated and an `IMAGES` result composed of a comma-separated list of
imageNames+digest to be signed.

This change is based on
https://github.com/tektoncd/chains/blob/main/release/publish.yaml and
https://github.com/tektoncd/plumbing/blob/main/docs/signing.md
Scott authored and tekton-robot committed Aug 13, 2021
1 parent 288a748 commit caa619b
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions tekton/publish.yaml
Expand Up @@ -2,6 +2,8 @@ apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: publish-release
annotations:
chains.tekton.dev/transparency-upload: "true"
spec:
params:
- name: package
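Review bot: the annotation name `chains.tekton.dev/transparency-upload` does not by itself convey what the commit message says it is for (indicating that build provenance should be generated), so the next reader of `tekton/publish.yaml` has no way to tell from this hunk what the setting enables or where it is documented. A one-line comment above the annotation, in the same style as the comment this commit adds for the `IMAGES` result (`# See https://github.com/tektoncd/plumbing/blob/main/docs/signing.md for more info.`), would make the intent and the documentation link explicit next to the setting that matters.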
Expand Down Expand Up @@ -52,6 +54,10 @@ spec:
value: "$(params.imageRegistryRegions)"
- name: OUTPUT_RELEASE_DIR
value: "$(workspaces.output.path)/$(params.versionTag)"
results:
# IMAGES result is picked up by Tekton Chains to sign the release.
# See https://github.com/tektoncd/plumbing/blob/main/docs/signing.md for more info.
- name: IMAGES
steps:

- name: create-ko-yaml
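Review bot: the new `IMAGES` result declares only a `name`; since the consumer (Tekton Chains) depends on the exact format, the comment should be backed by a `description:` field on the result stating that it is a comma-separated list of `<image>@<digest>` entries, which then shows up in `tkn task describe` and in the task's schema rather than only in a YAML comment. One caveat worth checking before merging: the steps append one entry per image and, from the later hunk, one more per region, so for a release with many images across several regions confirm the combined value stays within Tekton's size limit for a single result, otherwise Chains will have nothing to sign.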
Expand Down Expand Up @@ -177,6 +183,8 @@ spec:
IMAGE_WITHOUT_SHA_AND_TAG=${IMAGE_WITHOUT_SHA%%:*}
IMAGE_WITH_SHA=${IMAGE_WITHOUT_SHA_AND_TAG}@${IMAGE##*@}
echo $IMAGE_WITH_SHA, >> $(results.IMAGES.path)
if [[ "$(params.releaseAsLatest)" == "true" ]]
then
crane cp ${IMAGE_WITH_SHA} ${IMAGE_WITHOUT_SHA_AND_TAG}:latest
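Review bot: the appended line `echo $IMAGE_WITH_SHA, >> $(results.IMAGES.path)` leaves the variable unquoted and unbraced while the surrounding lines (`IMAGE_WITHOUT_SHA_AND_TAG=${IMAGE_WITHOUT_SHA%%:*}`, `crane cp ${IMAGE_WITH_SHA} ...`) consistently use the braced form; writing it as `echo "${IMAGE_WITH_SHA}," >> "$(results.IMAGES.path)"` keeps the style consistent and protects the value that Chains will sign from word splitting or globbing should an image reference ever contain unexpected characters. The trailing comma after every entry also means the final result ends with a dangling comma; that is fine if Chains' own `release/publish.yaml` (which the commit message cites) produces the same shape, but it is worth confirming rather than assuming.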
Expand All @@ -193,6 +201,7 @@ spec:
else
TAG="$(params.versionTag)"
crane cp ${IMAGE_WITH_SHA} ${REGION}.${IMAGE_WITHOUT_SHA_AND_TAG}:$TAG
echo ${REGION}.$IMAGE_WITH_SHA, >> $(results.IMAGES.path)
fi
done
done
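Review bot: the regional entry `echo ${REGION}.$IMAGE_WITH_SHA, >> $(results.IMAGES.path)` is recorded only in the `else` branch, so if the `if` branch above this hunk (not shown here) also copies the image into `${REGION}.` repositories, those copies would be pushed but never listed for signing. Because the result is keyed by repository and digest rather than by tag, one entry per regional repository is enough, so moving the `echo` to just after the `fi` would record the regional digest regardless of which tag was applied; if the `if` branch does not touch regional repositories, a short comment saying so would stop the next reader from asking the same question. The same quoting point as for the non-regional line applies here: `echo "${REGION}.${IMAGE_WITH_SHA}," >> "$(results.IMAGES.path)"`.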
